[Samba] user password hash

Rowland penny rpenny at samba.org
Wed Oct 9 07:11:06 UTC 2019


On 09/10/2019 03:19, Nico Kadel-Garcia wrote:
> On Tue, Oct 8, 2019 at 8:04 AM Rowland penny via samba
> <samba at lists.samba.org> wrote:
>> On 08/10/2019 12:53, Jonathon Reinhart wrote:
>>>
>>> On Tue, Oct 8, 2019, 07:45 Rowland penny via samba
>>> <samba at lists.samba.org <mailto:samba at lists.samba.org>> wrote:
>>>
>>>      On 08/10/2019 12:27, Elias Pereira via samba wrote:
>>>      > hello list,
>>>      >
>>>      > What kind of hashing/encryption samba4 ADDC uses for user
>>>      passwords? base64?
>>>
>>>
>>> Base64 is neither a hash nor an encryption algorithm; it is an encoding.
>> That is why I said 'basically' ;-)
>>>      >
>>>      > Thanks!
>>>      >
>>>      Basically yes, but it is a bit more involved, to create an AD user's
>>>      password in bash, you would have to do something like this:
>>>
>>>      UNICODEPW=$(echo -n "\"$PASSWORD\"" | iconv -f UTF-8 -t UTF-16LE |
>>>      base64 -w 0)
>>>
>>>
>>> Where is this scheme applied?
>> On my Hard drive ;-)
>>> Are you saying Samba stores plaintext passwords in the database?
>> No, that bit of bash turns a plain password into what you would store in
>> the users 'unicodePwd' attribute.
>>
>> For instance, if $PASSWORD == password , you would get
>> 'IgBwAGEAcwBzAHcAbwByAGQAIgA='
>>
>> Rowland
> I appreciate that this is how to pass the plaintext password for
> setting it, for storage by the Kerberos back end. If Samba is using
> Kerberos in normal fashion, *nothing* ever sees the plain text
> password again. A decent explanation lives at
> https://www.roguelynn.com/words/explain-like-im-5-kerberos/ , and
> there are many others.

Sorry but you are wrong ;-)

You can sync passwords with 'samba-tool user syncpasswords'

You could run something like this on a Samba AD DC:

ldbsearch -H /var/lib/samba/private/sam.ldb -b 'dc=samdom,dc=example,dc=com' -s sub '(&(objectclass=user)(samaccountname=rowland))' unicodePwd

This will get you a user's password, you just need to run it through the 
reverse of what I posted earlier to see the actual user's password.

The OP asked what the password 'hash' was, I took this to mean 'how do I 
see a password', I suppose the question has to be 'why does he want to 
see the password'

Rowland
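The quote / UTF-16LE / base64 transformation discussed in this thread, as an added example that is not code from the thread or from Samba: it reproduces the value Rowland gives for the password `password`, and also runs the transformation backwards. The function names are made up for this example; the only tools assumed are `iconv` and `base64`, which are standard on a Linux system.

```shell
#!/bin/sh
# Build the value Active Directory expects in the unicodePwd attribute:
# the password wrapped in double quotes, encoded as UTF-16LE, then base64
# on a single line. (tr is used instead of GNU 'base64 -w 0' so it also
# works with non-GNU base64 implementations.)
encode_unicodepwd() {
  printf '"%s"' "$1" | iconv -f UTF-8 -t UTF-16LE | base64 | tr -d '\n'
}

# Reverse the steps. That this is possible at all is the point: base64
# and UTF-16LE are encodings, not hashes, so the value carries the full
# plaintext and must only be sent over a protected channel (LDAPS).
decode_unicodepwd() {
  s=$(printf '%s' "$1" | base64 -d | iconv -f UTF-16LE -t UTF-8)
  s=${s#\"}   # drop the leading quote
  s=${s%\"}   # drop the trailing quote
  printf '%s' "$s"
}

# Constructed demonstration input, the same password used in the thread.
sample='password'
encoded=$(encode_unicodepwd "$sample")
printf 'encoded: %s\n' "$encoded"
printf 'decoded: %s\n' "$(decode_unicodepwd "$encoded")"
```

Running it prints `IgBwAGEAcwBzAHcAbwByAGQAIgA=` as the encoded value, matching the one quoted above, and `password` as the decoded one.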